Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: How a Centralized Data Repository Can Make Compliance Management Suck Less


Quick Take

On this episode of Compliance Unfiltered, Adam opens up about his vast experience in the realm of Data Security and shares ways that listeners can better address their data storage issues.

Adam covers all the reasons why data repositories are broken for most organizations, why manual repositories fail, how PCI v4 will impact the space, and much more.

All on this episode of Compliance Unfiltered!


Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the straw that stirs your compliance drink. Mr. Adam Goslin, how the heck are you, sir? I’m doing good. And we need to get ourselves closer to Cinco de Mayo for the euphemism. Fair enough, fair enough. Well, all days are good days to enjoy yourself, sir, especially in the compliance realm.

Speaking of, we’re going to talk about ways, specifically about how a centralized data repository can make compliance management suck less. So tell us more, Adam, about your experience in this realm. Well, a lot of people that are dealing with security and compliance style engagements are feeling stressed as they’re trying to get through and manage it. They’re at a good company, and they’re in good company, in that I’ve spoken with a lot of compliance managers and CISOs that are busily toiling away, putting in 90-hour weeks, heading toward the annual audit, and losing sleep for months, and blah, blah, blah. And they’re just trying to hold everything together with a fine combination of duct tape and bubble gum and shoestrings, you know, all this fun stuff, and really compliance management just doesn’t have to be that way. It’s not an issue that, you know, it’s not just inherent to compliance; the main problem is when people are using manual systems. So, you know, you look at the data repository for most organizations, there are a multitude of ways that evidence is coming in for collection and use, etc. And, you know, that situation alone is the breeder of chaos and anxiety, and a ton of wasted time and effort as they go through their engagement. And people are basically just wearing themselves out and, you know, evaporating productivity, burning profitability, etc., simply as a result of how they’re doing the data collection and storage systems.
So, certainly we’ll talk about some ways to make that better as we go through the old pod today.

Well, I guess the best place to start, Adam, is why are these storage repositories broken for most organizations? Well, they’re just trying like hell to hold the program together. You know, a lot of the issues exist in the way that the data and information’s stored. So, you know, you’ve got receiving inputs from multiple sources, so some examples: one person sending their evidence as attachments on a thread of emails. Hell, just sticking in the email arena, right? You know, some people will send you this nice email and it’s got a nice subject line and exactly what it’s for and blah, blah, blah. Some people will basically go, oh, I need to send an email to Angela. So they basically go and look at the last email that they had to and from Angela, do a reply, and then just plop it on there, you know? So now I’m getting some email from Angela with a funny comment about the last company picnic or something, and the evidence that I need is attached, buried in there, and I can never find it again. You’ve got another person on the team sharing public links to the corporate or personal OneDrive, another person’s dropping data on the file server. They may or may not tell you that they actually put it there, and even if they do, now you’re back to the whole email discussion about did they, you know, make it nice and pleasantly clear for the poor soul that has to manage compliance. You know, you’ve got another person sending, you know, image evidence through text messages at you. You’ve got somebody that prints out reports and throws them on your desk. I mean, it’s unbelievably challenging when you’re on these engagements and you’re the one that’s got to pull it all together.
It’s unbelievably challenging to wrangle all of that coming in from across a whole slew of different channels, from a bunch of different people, and trying to just make sure everything lands in the right spot type of a thing. That’s a job in and of itself. You know, you’ve got to not only take in the evidence that you get, you know, now you have to go ahead and start migrating it from all these disparate sources to this central place. You know, you’re now trying to manually track down evidence that you haven’t received yet, maybe you didn’t get it. Right, but we were talking earlier about somebody threw it on the file server, but never bothered to tell you type of a thing. Maybe you’re looking in the wrong spot. Oh, I’m pretty sure that Jennifer stuck this on the share drive or whatever, but meanwhile she put it someplace else. The storage job isn’t done once you’ve just received the evidence, but now you have to manually move that stuff to the central repository and track it as it’s going through its workflow. So you’ve got various steps now that you’ve got to go in and manage. You’ve got your internal quality assurance reviews. You’ve got handoffs to consultants or assessors. You’ve got tracking of the issues that they may have had with their initial reviews coming back at you. You’ve got making sure you’re getting the updated information and validating it before you’re passing it back up to the assessor or consultant. So through all of that, you have to have the intestinal fortitude basically to be absolutely OCD about how I do it, where I pull it, da, da, da. You’ve got all of these, and the people that are listening to this pod right now are chuckling to themselves because what I’m describing, the reason why I can describe it so well, is because I used to live in that arena. So I know the pain well, shall we say.

Well, why do manual repositories fail? Because that’s the first go-to here, right? Yeah, well, a lot of the compliance managers will attempt to set up some process to make sure everything gets submitted and stored in this lovely spot, etc. And it sounds like a glorious idea when you first pen the note to everybody, but it doesn’t matter. It doesn’t matter how many people you train and no matter how many times you remind them and no matter how many times you send out, please submit your stuff this way. People are people, they’re lazy, they forget, they do whatever in the hell is convenient for them. Honestly, some of the people submitting the evidence truly don’t give two craps about what you told them last go around, right? They’re like, hey, you know what? My only job is to get this stuff to Bob. So as long as I get it to Bob, then he can suck it, type of a thing. And that’s their attitude. And so you’re always getting this evidence coming at you from all these various channels. And as your engagement’s coming up to the finish line, you’ve got this sick crescendo of activity, right? Everybody’s hauling ass trying to get everything done and get everything lined up. The activity level is sky high; you don’t have one or two things that are, you know, busily flying through the ether. You’ve got hundreds of things that are, you know, going up the workflow, back down the workflow, you know, etc. It’s almost impossible to keep up with. And, you know, at this point, your focus is, I just need to get the stuff to the assessor. For a lot of them, they’ll just leave the notion of the repository in the rear view mirror with a commitment to say, oh, you know what am I going to do? I’m going to clean this all up after. You want to know how many times that freaking happens? Like never, never, because the minute that you’re done, you know, the minute that the assessor says, okay, we’re all set.
We’ve got all the people that have been involved in this, and especially the person that happens to be the eye of the compliance hurricane; they’ve been at this for weeks and months at this stage of the game. They’re way behind on their normal job or day job or other duties, blah, blah, blah. The minute that the note goes out, hey, we’re done, you know, effectively what ends up happening is somebody from management may or may not, but usually it goes something like this: Yeah, yeah, that’s great. Now I’ve got this list of stuff that I’ve been waiting to get, you know, so get your ass over here, let’s go, you know, type of a thing. And so that’s the way it works. You know, if you go with the route of I’ll go clean it up, again, all of the people listening to this right now are chuckling because they know damn well, they’ve come to their next year’s engagement, and it’s at that point in the game they remember what an absolute shit show their last year’s track was and the fact that they can’t locate things, etc. You know, it’s just unfortunately kind of part of the beast.

Yeah, well, here’s a tricky one. What impact will PCI version 4.0 have, and version changes in general and beyond? Yeah, I mean, you know, if you’re going up against PCI DSS, you know, you’ve got to make the conversion from 3.2.1 to 4.0. Now, this response happens to use PCI as an example, but it’s the same example regardless of which compliance standard you happen to go up against. When they change the standard, you know, now all of a sudden they switch to this new one, guess what? No matter what system you were using, you know, now you need to go back to the drawing board. You’ve got hundreds of compliance elements, thousands of elements of evidence that are, you know, going into this big old bingo tumbler and just getting thrown all over the place, because now I’ve got to go in and restructure my repository against the new requirements. I’ve got to map things from 3.2.1 to 4.0, you know, and then, you know, it’s almost like you took these thousands of items and now you’ve kind of shaken them up in the bingo tumbler and you’re pulling them out one at a time. Okay. Where’s this one go? Okay. Now where’s this one go? So effectively, when you have major changes to the compliance standards, it forces every organization that is leveraging their own way of doing things to go in and basically rebuild, you know, rebuild from scratch type of a thing. So it’s a gigantic wrinkle that gets thrown into the mix when, you know, when your compliance versions are changing.

Well, which central repository will improve things? Well, we’re TCT, you know, so it won’t shock anybody that, you know, a central repository that actually works is the TCT Portal. We originally brought it online back in 2015, and it’s been serving those in the compliance space ever since. It’s a fully automated central repository that you don’t need to go in and clean up ever. You know, it’s a single location to put everything into. So you can put in one place all your evidence, all of your explanations, you know, all of your file attachments, all of your policies. You know, you can go ahead and load the evidence straight into the portal; you don’t have emails, text messages, hard copies, file sharing links, etc. When you put this process in place, you know, when a file is uploaded, it’s automatically stored off to a central location, mapped to the requirement that you’re associating the evidence with. You know, you’ve got hundreds of files that are all populated into the right spots, and you don’t have to go through touching any of them. You know, when you’re going through the pain of trying to hold your compliance engagement together, the TCT Portal will eliminate that pain because you’re able to stay on top of your evidence that’s coming your way all year long. You’re not hounding people, you’re not having to check a dozen different places where they could have put stuff. The system will do things like handle the nagging of the people that need to do the evidence submission, so every morning, the system will send an email to anybody with open items. You know, you don’t need to figure out where you’re at and who still needs to do stuff; that’s all automatic within the system.
Certainly one of the biggest benefits, and it’s kind of a misnomer out of the gate, is that, and do me a favor, Todd, remind me, I want to come back to this notion of, hey, you know, we were talking earlier about how you can lay out your process, but things go sideways. I want to come back to the notion of, okay, well, that’s great, you’re using TCT Portal, you know, same problem. I want to come back to that. I want to finish this thought out first. So, the centralized repository, what a lot of people don’t realize when they’ve got one place everything goes, everything about compliance. When you do that, it’s deceiving, the benefits you’re going to see in year two and year three, because of the fact that you have this one place to rule them all type of a thing, and everything went there. You know, think about it, you know, some of these people haven’t produced this evidence in 11 and a half months, right? They don’t remember what they freaking gave you last year. And one of the common questions that the eye of the hurricane gets the dubious joy of answering repeatedly is, well, what did I give you last year? So instead of answering that question, oh, I don’t know, 5,000 times, the user can just go in and take a look, refer to what they provided last year, replicate it, etc. Their life is easier and faster and better. Your life is easier and faster and better. You know, we’re not going through the continuous pounding of your head through a wall, you know, over answering the same damn question repeatedly. Not only that, but you’re able to see what wasn’t accepted by the assessor. Did you have to make any tweaks or alterations? What internal comments did you have about what you were trying to accomplish? You know, all of this stuff is right there.

In any organization these days, turnover is always an issue. So what happens when there was somebody that was provisioning a chunk of the evidence for last year that’s no longer at the company? You know, it doesn’t have to be Groundhog Day every time that you’re starting the engagement with people. Number one, people asking what the hell I gave you last year. And two, you know, well, I’m doing this for the first time, so what did Mary provide last year? You know, type of a thing. It’s huge, the long-term benefits that you get out of that consolidation. It just saves hundreds, hundreds and hundreds of man hours, sleepless nights, overtime, all sorts of stuff, especially when you get into year two and beyond. Oh, it’s hugely beneficial.

So I did remember to come back to it. The, you know, the natural question, which I was thinking of as I was going through this, is: I just used TCT Portal, and poof, everything goes away. No, it’s not quite that easy. You still do have the training aspect, but the recommendation that I would give to folks that are doing this, because it’s going to happen, absolutely guaranteed it’s going to happen: You set out the expectations at the beginning of the engagement and you make it clear to everybody on the team. Your evidence will only be accepted if it goes through this particular channel. Please do that out of the gate and you’ll save yourself from having to redundantly do it. And when, not if, they send you the email or send you the text message or whatever it may be, you have a pat response, which is probably going to be on your clipboard, ready to paste in, you know, which is: As we discussed, you’re going to go ahead and load this information into our central repository, etc., and we just don’t accept evidence that’s coming other directions. You know, everybody, not everybody, there are going to be people on the team which are like, cool, I get it. But there’s going to be people on the team that are going to push back. And the interesting part about that interchange is they may gripe, moan, and complain when you’re pushing back at them to go do it the way that you initially laid out was going to need to be the way. Initially, they’ll kind of rail against it and not be a fan and may even be cheesed off. But once those same people get to year two and they can see all of their stuff in one spot and they’re not wasting their time looking all over for it, they don’t have to come to you and wait to get an answer from you for questions that they have, etc. They can self-serve, easy reference. They could even have members of their team helping because there’s one place for everybody to go to see what was done last year. They start to see the benefits of it.
And you see the level of griping starts to go down. Cherubs start singing and the skies open up, is that true? Yeah, I mean, I don’t know. I mean, it’s funny. I’ve had conversations with people. You say this about IT support back in the day. Nobody walks in, back when most of us used to work in an office, nobody walks in in the morning and goes up into IT and hugs somebody because their email’s working. They don’t. They just assume the email’s working. However, if all of a sudden email isn’t working, oh, you can bet you’re going to have like a mutiny line marching toward your desk, you know, with pitchforks and fire sticks and blah, blah, blah. Well, in the same sense, nobody’s gonna go running in and give you a big hug and say, thank you so much, and we’re so glad that you have a central repository. Yeah, let’s get realistic. People aren’t gonna do it, but it definitely does make things better. Is the change easy? I mean, that’s the question that’s always going to come up, right? I get it. I know that something needs to be done different than it’s currently being done, but how much is it gonna suck? Well, it’s gonna suck a little bit, but it’s only gonna suck for a limited period of time. You know, this is a pain with a purpose. Yes, you’re gonna need to go through some frustration and yes, the people are gonna go through some frustration. You know, any tool is only as good as you actually use it, as you actually enforce it. So, you know, if you’re going to adopt any compliance solution, you need to make a commitment as an organization to using that tool and only that tool. You know, while you’re gonna have the initial resistance from some, they’ll see the light. The light bulbs will start twinkling when they get to year two and to year three. In fact, you’re actually probably going to have to press these people to say, I want you to think back to the BS you used to go through two, three years ago.
You remember when you couldn’t figure out what the hell it was you needed to do? And then you needed to wait for me to give you input and answers, or you had to wait for a meeting so we could talk about it, da, da, da. And now you’re just able to go in and do your thing, reference your stuff, submit your things. It’s painless, you know, do you remember, you know? And then they’ll go, yeah, no, I do remember. It is so much better now, you know, type of a thing.

You know, you’re gonna see the payoff when you get in and you start using TCT Portal. It wins people over, you know, even those that hated the change. I have seen that happen time after time after time. You know, like I said, as you get into that second, third year, dude, honestly, the gripes that you went through in year one are a distant memory. You know, they’re seeing it, they’re understanding it, you know, they’re not gonna complain, oh, geez, you know, I really wanted to just hit an entire reset button and start from scratch this year, you know, type of a thing. You’re not hearing that coming out of them at all, you know. Instead, they’ve got last year’s and the years before information at their fingertips and they’re basically ready to rock.

Parting shots and thoughts, folks, this week? Well, TCT coined the phrase we’re here to make compliance management suck less, and that’s been our charge since 2015. It comes on the backs of, you know, having done this ourselves. You know, we went through the pain for a long time of trying to manage engagements with Excel sheets, network storage places, blah, blah, blah. That really was the birth, if you will, of the TCT Portal; it came directly out of the pain that we personally went through trying to manage these damn engagements. So, you know, it’s awesome. The TCT Portal is going to automate and eliminate an enormous amount of manual effort and pain that people are experiencing on their security and compliance engagements. The interesting part about using TCT Portal, you know, as a central repository: your people, their stress level goes way down, their happiness, believe it or not, goes up. You know, evidence submissions are streamlined, they’re organized, they’re simplified. Just tons of hours are saved, you know, recovering wasted time and unproductive efforts. Your team is more effective, you’re accelerating through your security and compliance engagements. You know, everybody’s so busy these days, everybody. There aren’t many organizations that have a whole bunch of people that are just sitting around wondering what to do. And so, you know, that’s part of the reason why I press people on this to look at a compliance management tool like the TCT Portal to be able to leverage, you know, additionally. We got into this space to help people with their compliance and certainly to make it suck less. That said, you know, we don’t price the portal in such a way that we’re going to the Bahamas off the backs of a single organization. We price it in a cost effective manner. Basically, our methodology when we did the pricing was we wanted to set the price so that you’d have to be an idiot not to use the tool.
It’s that cost effective, you know, type of a thing. The software itself pays for itself and then some in the first year. And by the time you get to year two plus, oh, you’re saving a lot more. All the way around, it makes things so much easier.

On TCT’s website, we’ve got some ROI calculator tools available. We’ve got one for companies that are going through compliance, and we also have one for assessment and audit firms as well, which really applies to service providers. So if you go to TCT’s website, the short way to get there is go to your browser and enter gettct.com. It’ll redirect you to the totalcompliancetracking.com site. Go under Resources, ROI Calculators, and then you’ll see links to the applicant ROI calculator, for the person going through compliance or applying to be certified. You’ll also see the other one for the assessors.

That right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
